paragonie / csp-builder

Build Content-Security-Policy headers from a JSON file (or build them programmatically)
https://paragonie.com/projects
MIT License

Content security policy for plugin-types #4

Closed Lewiscowles1986 closed 8 years ago

Lewiscowles1986 commented 8 years ago

Awesome idea to make a library for this! :+1:

One dimension where the browser loses control, even with a CSP, is via third-party plugins, which may have little or no enforcement.

The good people at Google, via the W3C project, have a CSP directive for white-listing allowed plugins, so a website can use plugins that might break CSP but restrict them, so that the possible attack space is known (for example, if we know we don't allow swf files, we are not vulnerable to Flash exploits...).

Right now it's only reported as working in Chrome 40.0+ and Android Chrome 40.0+ (source: MDN).

W3C spec with examples: http://www.w3.org/TR/CSP2/#directive-plugin-types
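To make the request concrete, here is an added example (not code from csp-builder, and not the reporter's) that serialises a small JSON-style policy containing `plugin-types` into a header value and then mirrors the enforcement decision a CSP2 browser makes: when the directive is present, a plugin is only instantiated if the resource's media type is in the list. The config keys, the `build_csp`/`plugin_allowed` function names and the sample policy are all assumptions for illustration.

```python
"""Serialise a plugin-types policy and mirror the CSP2 plugin-types check.

Added example; not part of the csp-builder library. The JSON layout below
is a constructed illustration, not the library's own file format.
"""
import json

# Constructed sample policy: only PDF plugins may be instantiated.
SAMPLE_CONFIG = json.dumps({
    "default-src": ["self"],
    "object-src": ["self"],
    "plugin-types": ["application/pdf"],
})

# CSP keyword sources must be single-quoted in the serialised header.
KEYWORD_SOURCES = {"self", "none", "unsafe-inline", "unsafe-eval"}


def build_csp(config_json: str) -> str:
    """Turn the JSON config into a Content-Security-Policy header value.

    Every directive becomes "name value value"; directives are joined with
    "; ". plugin-types values are bare media types (never quoted), while
    keyword sources such as self are wrapped in single quotes.
    """
    cfg = json.loads(config_json)
    parts = []
    for name, values in cfg.items():
        if name == "plugin-types":
            tokens = [v.lower() for v in values]
        else:
            tokens = [f"'{v}'" if v in KEYWORD_SOURCES else v for v in values]
        parts.append(f"{name} {' '.join(tokens)}")
    return "; ".join(parts)


def parse_plugin_types(header: str):
    """Return the plugin-types whitelist from a serialised CSP.

    Returns None when the directive is absent (no plugin restriction) and an
    empty set when it is present with no values (every plugin blocked).
    """
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "plugin-types":
            return {t.lower() for t in tokens[1:]}
    return None


def plugin_allowed(header: str, content_type: str) -> bool:
    """Mirror the CSP2 decision for a resource handed to a plugin.

    The resource's media type is the type/subtype of its Content-Type,
    compared case-insensitively with parameters (e.g. charset) ignored.
    With plugin-types present, only listed media types are instantiated;
    without it, CSP imposes no restriction on plugin type.
    """
    allowed = parse_plugin_types(header)
    if allowed is None:
        return True
    media_type = content_type.split(";")[0].strip().lower()
    return media_type in allowed


if __name__ == "__main__":
    header = build_csp(SAMPLE_CONFIG)
    print(header)
    for ctype in ("application/pdf", "application/x-shockwave-flash"):
        print(f"{ctype}: {'allowed' if plugin_allowed(header, ctype) else 'blocked'}")
```

The empty-list case is worth noting for implementers: `plugin-types` with no values is valid and blocks every plugin, which is the "we know we don't allow swf files" posture described above, whereas omitting the directive altogether leaves plugins unrestricted.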

paragonie-scott commented 8 years ago

:+1: Yes, this should definitely be supported.